List available SSL/TLS certificates

When you open the SSL tab, the ALOHA displays the list of SSL/TLS certificates it contains, including the following information:

Name: Label used to reference this certificate in HAProxy's configuration

Domain: Common Name (or CN) of the certificate

Not Before: Date from which the certificate is valid

Not After: Date until which the certificate is valid. When a certificate expires, this date appears in bold red.

Verify: State of the validation of the certificate. The following states are available:

Broken chain: When a certificate chain is incomplete or the full chain cannot be validated (outdated intermediary, etc.)

CA only (no key): When a certificate can be used to validate client certificates only.

Incomplete: When either both the private key and the certificate, or the certificate alone, are missing

Valid: When everything is fine and safe

Self-Signed: When the certificate was generated and signed by the ALOHA itself

Example of an SSL tab output:

Create a new SSL/TLS certificate

The creation of a new certificate involves three main steps:

Give a Name to this certificate: this is the reference of this certificate. This name is used in HAProxy's configuration to point to this certificate.

Handle the private key. You have two options:

Generation of a new private key

Upload of an existing private key

Handle the certificate itself, either by:

generating a certificate request (CSR), and then generating a self-signed certificate

uploading an existing certificate

Choose a certificate name

Open the SSL tab and click on the "new" button.

Fill in the "choose SSL certificate name" box. Only letters, digits and underscores are allowed.

Generate a new private key

Ensure that the "generate a private key" button is checked.

Choose the size of the new key.

Click on the "Generate" button.

Note

If the certificate will be public facing, we recommend 2048 bits. For internal use, 1024 bits is enough.

Upload an existing private key

Ensure that the "generate a private key" button is checked.

You can either:

Copy/paste the key in the dedicated text area

Upload the key using the form below:

Note

If the file is password-protected, type the password in the "file or key password" box.

Click on the "Upload" button.

Generate a certificate request

Ensure that the "generate a private key" button is checked.

Complete the form below:

Note

Only the Domain (CN) is required. However, if the certificate is to be published over the internet, you must complete all information.

Click on the "Request" button.

Copy/paste the CSR and send it to your certification authority to receive the permanent certificate.

In the meantime, you can start working with a self-signed certificate.

When your certificate authority replies with the permanent certificate, you can upload the certificate using the form available on the same page, or follow the procedure to update an existing certificate.

Generate a self-signed certificate

Ensure that the "auto-sign request" radio button is checked.

Choose the number of days you want this self-signed certificate to be valid.

Click on the "Sign" button.

Upload the certificate.

Upload an existing certificate

Ensure that the "upload certificate" button is checked.

You can either:

Copy/paste the certificate in the dedicated text area

Upload the key using the form below:

Note

If the file is password-protected, type the password in the "file or key password" box.

Click on the "Upload" button.
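Before uploading an existing key and certificate, the pair can be checked offline with the OpenSSL command line: that the key belongs to the certificate, that the certificate has not expired, and whether it is self-signed. This is an added example, not part of the ALOHA documentation or its code; the function names, file names, label strings and the CN www.example.test are assumptions, the sample key, CSR and certificate are constructed, and the key is assumed not to be password-protected.

```shell
#!/bin/sh
# Added example (not ALOHA code): check a key/certificate pair with the
# OpenSSL CLI before pasting or uploading it in the SSL tab.

# make_sample DIR CN DAYS
# Constructed test material: 2048-bit RSA key, CSR, self-signed certificate.
make_sample() {
    openssl genrsa -out "$1/key.pem" 2048 2>/dev/null &&
    openssl req -new -key "$1/key.pem" -subj "/CN=$2" -out "$1/req.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/req.pem" -signkey "$1/key.pem" \
        -days "$3" -out "$1/cert.pem" 2>/dev/null
}

# key_matches_cert KEY CERT: true when both carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# is_self_signed CERT: true when subject and issuer names are identical.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# precheck KEY CERT: prints one example label, then the validity dates.
# The labels are this example's own, not the ALOHA's Verify states.
precheck() {
    [ -s "$2" ] || { echo "no-certificate"; return 1; }
    [ -s "$1" ] || { echo "no-private-key"; return 1; }
    key_matches_cert "$1" "$2" || { echo "key-mismatch"; return 1; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null || { echo "expired"; return 1; }
    if is_self_signed "$2"; then echo "self-signed"; else echo "ca-issued"; fi
    openssl x509 -in "$2" -noout -dates    # notBefore= / notAfter= lines
}

# Demo on constructed material in a temporary directory.
demo_dir=$(mktemp -d) && make_sample "$demo_dir" www.example.test 30 &&
    precheck "$demo_dir/key.pem" "$demo_dir/cert.pem"
rm -rf "$demo_dir"
```

The notBefore and notAfter lines printed by precheck correspond to the Not Before and Not After columns of the SSL tab.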

Create a TLS certificate to validate client certificates

To validate TLS certificates from clients, the ALOHA Load-balancer only needs a TLS certificate and not the associated private key.